
Thread: Google results re-direct to random websites (and computer is slow)

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    Let's do this.

    You need to enable Windows to show all files and folders; instructions Here.

    Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

    C:\ProgramData\AMFucJFMaVdteYf.exe <-- This file

    If the site is busy you can try this one
    http://virusscan.jotti.org/en

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      O3 - HKU\S-1-5-21-565932158-212264510-2539292498-1000\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
      O3 - HKU\S-1-5-21-565932158-212264510-2539292498-1000\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
      O3 - HKU\S-1-5-21-565932158-212264510-2539292498-1000\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
      
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /flushdns /c
      
      
      
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top. <-- Not Run Scan
    • Let the program run unhindered, and reboot when it is done.
    • Then post the results of the log it produces.
    • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time).
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Member
    Join Date
    Nov 2011
    Location
    Manchester, UK
    Posts
    35


    I tried to locate the file you indicated; however, I am not able to locate it in the directory. I made sure hidden and system files were visible as per the guide and also carried out a search across all drives (including non-indexed locations, hidden and system files) for the filename, with no result.

    I did run the OTL program as requested; the log file that was produced on reboot is below. I will post the updated OTL.txt in a follow-on post:

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-565932158-212264510-2539292498-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ not found.
    Registry value HKEY_USERS\S-1-5-21-565932158-212264510-2539292498-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
    Registry value HKEY_USERS\S-1-5-21-565932158-212264510-2539292498-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Sandra\Desktop\cmd.bat deleted successfully.
    C:\Users\Sandra\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Sandra
    ->Temp folder emptied: 113752 bytes
    ->Temporary Internet Files folder emptied: 39687689 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1335 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1610 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 2293146 bytes

    Total Files Cleaned = 40.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 11292011_132318

    Files\Folders moved on Reboot...
    File\Folder C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat not found!
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLBW5VU0\Adpepper-UK[1].htm moved successfully.
    File\Folder C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLBW5VU0\fw-nonplayer-banner[1].htm not found!
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLBW5VU0\in[1].htm moved successfully.
    File\Folder C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJDWXTU4\eas[1].htm not found!
    File\Folder C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJDWXTU4\fw-nonplayer-banner[1].htm not found!
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJDWXTU4\okinsider_mevio_com[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJDWXTU4\sandbox[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJDWXTU4\sandbox[2].htm moved successfully.
    File\Folder C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJDWXTU4\t1p3256b28845r996119855S1[1].htm not found!
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GRK2N9J0\emily[1].html moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GRK2N9J0\in[2].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GRK2N9J0\protocolassoc[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GRK2N9J0\redirect_v94_cim_11_16_1[1].html moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GRK2N9J0\showthread[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GRK2N9J0\xd_receiver[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K8SYDYF\kim-kardashian-herman-cain-occupy-wall-street[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K8SYDYF\login_status[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K8SYDYF\login_status[2].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K8SYDYF\PER-JAM-LOB-YMGLS1-030-GBR-001-Clip1-110711081835886-94230[1].m4v moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K8SYDYF\xd_receiver[1].htm moved successfully.

    Registry entries deleted on Reboot...

  3. #13
    Member
    Join Date
    Nov 2011
    Location
    Manchester, UK
    Posts
    35

    Updated OTL Log

    OTL logfile created on: 29/11/2011 13:29:23 - Run 4
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Sandra\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19154)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.75 Gb Total Physical Memory | 0.82 Gb Available Physical Memory | 46.72% Memory free
    3.74 Gb Paging File | 2.72 Gb Available in Paging File | 72.90% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 144.29 Gb Total Space | 89.32 Gb Free Space | 61.90% Space Free | Partition Type: NTFS
    Drive D: | 144.04 Gb Total Space | 143.94 Gb Free Space | 99.94% Space Free | Partition Type: NTFS

    Computer Name: SANDRA-PC | User Name: Sandra | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Users\Sandra\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    PRC - C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe (CyberLink)
    PRC - C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
    PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    PRC - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
    PRC - C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
    PRC - C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe (Lexmark International, Inc.)
    PRC - C:\Program Files\Lexmark X1100 Series\LXBKbmon.exe (Lexmark International, Inc.)
    PRC - C:\Windows\System32\lxbkcoms.exe ( )


    ========== Modules (No Company Name) ==========


    ========== Win32 Services (SafeList) ==========

    SRV - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
    SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
    SRV - (Acer HomeMedia Connect Service) -- C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe (CyberLink)
    SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
    SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
    SRV - (lxbk_device) -- C:\Windows\System32\lxbkcoms.exe ( )


    ========== Driver Services (SafeList) ==========

    DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
    DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
    DRV - (GemCCID) -- C:\Windows\System32\drivers\GemCCID.sys (Gemalto)
    DRV - (USBCCID) -- C:\Windows\System32\drivers\usbccid.sys (Microsoft Corporation)
    DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
    DRV - (nvstor32) -- C:\Windows\system32\drivers\nvstor32.sys (NVIDIA Corporation)
    DRV - (nvrd32) -- C:\Windows\system32\drivers\nvrd32.sys (NVIDIA Corporation)
    DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
    DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation)
    DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
    DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cars.uk.msn.com/
    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.comhttp://www.google.co.uk/ [binary data]
    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
    IE - HKU\S-1-5-21-565932158-212264510-2539292498-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Sandra\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Sandra\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)


    [2010/11/23 15:18:28 | 000,002,037 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fcmdSrchppcb2.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Sandra\AppData\Local\Google\Chrome\Application\15.0.874.121\gcswf32.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Sandra\AppData\Local\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Sandra\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\Sandra\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin

    O1 HOSTS File: ([2011/11/29 13:23:21 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O3 - HKU\S-1-5-21-565932158-212264510-2539292498-1000\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
    O4 - HKLM..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe File not found
    O4 - HKLM..\Run: [AMFucJFMaVdteYf.exe] C:\ProgramData\AMFucJFMaVdteYf.exe File not found
    O4 - HKLM..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd File not found
    O4 - HKLM..\Run: [eRecoveryService] File not found
    O4 - HKLM..\Run: [lxbkbmgr.exe] C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
    O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers File not found
    O4 - HKLM..\Run: [MoneyStartUp10.0] C:\Program Files\Microsoft Money\System\Activation.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe ()
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Inc.)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)
    O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKU\S-1-5-21-565932158-212264510-2539292498-1000..\Run: [{37E04771-0D69-BB1A-F662-609E08C9BB5B}] C:\Users\Sandra\AppData\Roaming\Loyfz\ovxay.exe File not found
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10w_ActiveX.exe (Adobe Systems, Inc.)
    O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10w_ActiveX.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-565932158-212264510-2539292498-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O9 - Extra Button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (Microsoft Corporation)
    O13 - gopher Prefix: missing
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42A4F467-8F06-4D9B-A7EC-F89D639D7B84}: DhcpNameServer = 192.168.1.2
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4B89E525-B2FE-4E02-B769-D671257BBDE6}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O33 - MountPoints2\{236af0aa-a248-11df-94da-00218503497f}\Shell - "" = AutoRun
    O33 - MountPoints2\{236af0aa-a248-11df-94da-00218503497f}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
    O33 - MountPoints2\{448c0d2c-238c-11de-9138-00218503497f}\Shell - "" = AutoRun
    O33 - MountPoints2\{448c0d2c-238c-11de-9138-00218503497f}\Shell\AutoRun\command - "" = J:\LaunchU3.exe
    O33 - MountPoints2\{e86c80f0-f67a-11df-8dea-00218503497f}\Shell\AutoRun\command - "" = RECYCLERBIN\autorun32.exe
    O33 - MountPoints2\{e86c80f0-f67a-11df-8dea-00218503497f}\Shell\open\command - "" = RECYCLERBIN\autorun32.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (MACHINE BootExecut)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/11/29 13:06:28 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/11/29 10:30:04 | 000,000,000 | ---D | C] -- C:\Program Files\Paint.NET
    [2011/11/29 10:29:44 | 000,000,000 | ---D | C] -- C:\Users\Sandra\AppData\Local\Paint.NET
    [2011/11/29 10:28:57 | 000,000,000 | ---D | C] -- C:\Users\Sandra\Desktop\Paint
    [2011/11/29 10:09:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Sandra\Desktop\OTL.exe
    [2011/11/29 10:06:50 | 000,000,000 | ---D | C] -- C:\Users\Sandra\Desktop\gmer
    [2011/11/29 07:34:18 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Sandra\Desktop\aswMBR.exe
    [2011/11/28 16:32:05 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/11/28 16:31:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
    [2011/11/28 16:31:27 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2011/11/25 18:12:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2011/11/25 18:12:19 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
    [2011/11/25 18:04:58 | 001,566,512 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Sandra\Desktop\tdkiller.com
    [2011/11/25 17:55:15 | 000,000,000 | ---D | C] -- C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
    [2011/11/25 17:53:01 | 000,000,000 | ---D | C] -- C:\Users\Sandra\AppData\Local\Google
    [2011/11/25 17:52:41 | 000,000,000 | ---D | C] -- C:\Users\Sandra\AppData\Local\Apps
    [2011/11/25 17:52:40 | 000,000,000 | ---D | C] -- C:\Users\Sandra\AppData\Local\Deployment
    [2011/11/14 20:15:14 | 000,000,000 | ---D | C] -- C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
    [2008/08/31 16:23:20 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxbkinpa.dll
    [2008/08/31 16:23:20 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbkiesc.dll
    [2008/08/31 16:23:20 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBKhcp.dll
    [2008/08/31 16:23:19 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxbkserv.dll
    [2008/08/31 16:23:19 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\lxbkusb1.dll
    [2008/08/31 16:23:19 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxbkhbn3.dll
    [2008/08/31 16:23:19 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxbkpmui.dll
    [2008/08/31 16:23:19 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbklmpm.dll
    [2008/08/31 16:23:19 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxbkcoms.exe
    [2008/08/31 16:23:19 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxbkih.exe
    [2008/08/31 16:23:19 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxbkprox.dll
    [2008/08/31 16:23:19 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxbkpplc.dll
    [2008/08/31 16:23:18 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxbkcomc.dll
    [2008/08/31 16:23:18 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxbkcomm.dll
    [2008/08/31 16:23:18 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxbkcfg.exe
    [2008/05/28 11:29:13 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
    [1 C:\Users\Sandra\AppData\Roaming\*.tmp files -> C:\Users\Sandra\AppData\Roaming\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/11/29 13:31:54 | 000,618,260 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/11/29 13:31:54 | 000,114,416 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/11/29 13:31:47 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{077FCF45-234B-4E35-9958-7D72FB3A0C64}.job
    [2011/11/29 13:26:33 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
    [2011/11/29 13:26:25 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/11/29 13:26:25 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/11/29 13:26:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/11/29 13:23:21 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
    [2011/11/29 12:58:01 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-565932158-212264510-2539292498-1000UA.job
    [2011/11/29 11:33:58 | 000,002,627 | ---- | M] () -- C:\Users\Sandra\Desktop\Microsoft Office Word 2007.lnk
    [2011/11/29 10:30:53 | 000,000,943 | ---- | M] () -- C:\Users\Public\Desktop\Paint.NET.lnk
    [2011/11/29 10:09:45 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Sandra\Desktop\OTL.exe
    [2011/11/29 07:34:24 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Sandra\Desktop\aswMBR.exe
    [2011/11/28 16:31:43 | 000,000,922 | ---- | M] () -- C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2011/11/28 16:31:30 | 000,000,723 | ---- | M] () -- C:\Users\Sandra\Desktop\ERUNT.lnk
    [2011/11/28 15:53:41 | 000,403,568 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2011/11/26 20:57:26 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-565932158-212264510-2539292498-1000Core.job
    [2011/11/26 03:18:50 | 000,000,384 | ---- | M] () -- C:\Windows\DCEBOOT.RST
    [2011/11/26 03:01:53 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2011/11/25 18:33:23 | 000,102,400 | ---- | M] () -- C:\Windows\RegBootClean.exe
    [2011/11/25 18:32:49 | 000,022,032 | ---- | M] () -- C:\Windows\DCEBoot.exe
    [2011/11/25 18:16:27 | 000,000,036 | ---- | M] () -- C:\Users\Sandra\AppData\Local\housecall.guid.cache
    [2011/11/25 18:05:06 | 001,566,512 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Sandra\Desktop\tdkiller.com
    [2011/11/25 17:55:22 | 000,002,056 | ---- | M] () -- C:\Users\Sandra\Desktop\Google Chrome.lnk
    [2011/11/25 17:55:22 | 000,002,018 | ---- | M] () -- C:\Users\Sandra\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2011/11/25 17:07:44 | 000,000,273 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20111125-170744.backup
    [2011/11/25 17:07:44 | 000,000,211 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20111125-170919.backup
    [2011/11/14 20:15:15 | 000,000,288 | ---- | M] () -- C:\ProgramData\~ai3h6NmYYVmUXf
    [2011/11/14 20:15:15 | 000,000,216 | ---- | M] () -- C:\ProgramData\~ai3h6NmYYVmUXfr
    [2011/11/14 20:15:11 | 000,000,336 | ---- | M] () -- C:\ProgramData\ai3h6NmYYVmUXf
    [1 C:\Users\Sandra\AppData\Roaming\*.tmp files -> C:\Users\Sandra\AppData\Roaming\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/11/29 10:30:53 | 000,000,955 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Paint.NET.lnk
    [2011/11/29 10:30:53 | 000,000,943 | ---- | C] () -- C:\Users\Public\Desktop\Paint.NET.lnk
    [2011/11/28 16:31:43 | 000,000,922 | ---- | C] () -- C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2011/11/28 16:31:30 | 000,000,723 | ---- | C] () -- C:\Users\Sandra\Desktop\ERUNT.lnk
    [2011/11/26 03:18:50 | 000,000,384 | ---- | C] () -- C:\Windows\DCEBOOT.RST
    [2011/11/25 18:32:49 | 000,022,032 | ---- | C] () -- C:\Windows\DCEBoot.exe
    [2011/11/25 18:32:28 | 000,102,400 | ---- | C] () -- C:\Windows\RegBootClean.exe
    [2011/11/25 18:16:27 | 000,000,036 | ---- | C] () -- C:\Users\Sandra\AppData\Local\housecall.guid.cache
    [2011/11/25 18:15:13 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2011/11/25 18:13:06 | 000,001,817 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2011/11/25 17:55:22 | 000,002,056 | ---- | C] () -- C:\Users\Sandra\Desktop\Google Chrome.lnk
    [2011/11/25 17:55:22 | 000,002,018 | ---- | C] () -- C:\Users\Sandra\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2011/11/25 17:53:03 | 000,000,912 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-565932158-212264510-2539292498-1000UA.job
    [2011/11/25 17:53:01 | 000,000,860 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-565932158-212264510-2539292498-1000Core.job
    [2011/11/14 20:15:15 | 000,000,216 | ---- | C] () -- C:\ProgramData\~ai3h6NmYYVmUXfr
    [2011/11/14 20:15:14 | 000,000,288 | ---- | C] () -- C:\ProgramData\~ai3h6NmYYVmUXf
    [2011/11/14 20:15:11 | 000,000,336 | ---- | C] () -- C:\ProgramData\ai3h6NmYYVmUXf
    [2011/02/10 12:00:07 | 000,008,885 | ---- | C] () -- C:\Windows\System32\MRT.INI
    [2011/02/06 00:15:12 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2011/01/29 19:31:02 | 000,000,680 | ---- | C] () -- C:\Users\Sandra\AppData\Local\d3d9caps.dat
    [2009/10/22 16:12:26 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/10/22 16:12:26 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/09/23 10:06:15 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
    [2009/09/23 10:06:06 | 000,000,392 | ---- | C] () -- C:\Windows\videoimp.ini
    [2009/04/10 17:19:29 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
    [2008/12/16 20:55:52 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/09/11 08:38:24 | 000,000,031 | ---- | C] () -- C:\Windows\UKCpInfo.sys
    [2008/09/02 13:16:08 | 000,019,220 | ---- | C] () -- C:\Windows\wwdslcfg.ini
    [2008/09/01 10:11:16 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2008/08/31 16:26:29 | 000,000,359 | ---- | C] () -- C:\Windows\Lexstat.ini
    [2008/08/31 16:23:20 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBKinst.dll
    [2008/08/31 16:23:19 | 000,413,696 | ---- | C] () -- C:\Windows\System32\lxbkutil.dll
    [2008/08/31 12:54:02 | 000,036,864 | ---- | C] () -- C:\Users\Sandra\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/08/30 03:14:01 | 000,056,832 | ---- | C] () -- C:\Windows\System32\Iyvu9_32.dll
    [2008/08/29 19:50:48 | 000,001,770 | ---- | C] () -- C:\Windows\wininit.ini
    [2008/05/28 11:32:14 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
    [2008/05/28 11:32:14 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
    [2008/05/28 11:30:12 | 000,077,824 | ---- | C] () -- C:\Windows\System32\drivers\INT15_DETECT.EXE
    [2008/05/28 11:29:13 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
    [2008/03/16 20:42:41 | 000,001,024 | R--- | C] () -- C:\Windows\System32\NTIBUN4.dll
    [2008/03/16 20:10:10 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
    [2008/03/16 19:16:12 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2008/03/16 19:03:42 | 000,001,108 | ---- | C] () -- C:\Windows\generic.ini
    [2008/03/16 19:03:42 | 000,000,132 | ---- | C] () -- C:\Windows\Alaunch.ini
    [2007/02/08 01:57:50 | 000,039,899 | ---- | C] () -- C:\Windows\System32\rtsicis.ini
    [2007/01/22 16:49:34 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxbkcoin.dll
    [2006/11/02 12:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 12:47:37 | 000,403,568 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 10:33:01 | 000,618,260 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 10:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 10:33:01 | 000,114,416 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 10:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 10:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 08:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 08:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 07:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2005/10/05 20:19:32 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxbkvs.dll
    [2005/09/14 00:27:10 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxbkcnv5.dll
    [2005/09/14 00:27:10 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxbkcnv4.dll
    [2001/12/26 22:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
    [2001/09/04 05:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
    [2001/07/30 22:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
    [2001/07/24 04:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

    < End of report >

  4. #14
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    I don't see that file any longer. Let's run these through OTL as they're infected.

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      [2011/11/25 17:07:44 | 000,000,273 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20111125-170744.backup
      [2011/11/25 17:07:44 | 000,000,211 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20111125-170919.backup
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top. <--Not run Scan
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.





    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #15
    Member
    Join Date
    Nov 2011
    Location
    Manchester, UK
    Posts
    35

    Default

    OK, so I have run OTL as directed and also started the ComboFix program (making sure all anti-virus and firewalls were disabled). However, the ComboFix program has been running for around 5 hours; since it mentions a scan should only take 10 minutes, I am assuming something is wrong!

    Just checking if I should reboot and try again?

    I am posting this from another machine so don't have access to the OTL log file at the moment (didn't want to disturb the machine in question).

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Go ahead and reboot and run Combofix in Safemode

    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
      this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it How to boot into Safemode

  7. #17
    Member
    Join Date
    Nov 2011
    Location
    Manchester, UK
    Posts
    35

    Default

    Hi,

    Sorry about the delayed reply, was away from the machine in question today.

    I tried running Combofix in safe mode with the same result (it starts up, gets to the screen that says the scan should take around 10 minutes etc., but then it stays there), only this time it was only there for around 2 hours till I rebooted. The log from the OTL reboot is below for your information.

    Thanks again for the help, it is very much appreciated.

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    C:\Windows\System32\drivers\etc\hosts.20111125-170744.backup moved successfully.
    C:\Windows\System32\drivers\etc\hosts.20111125-170919.backup moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Sandra
    ->Temp folder emptied: 89176 bytes
    ->Temporary Internet Files folder emptied: 18927089 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1158 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5224 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 56184 bytes

    Total Files Cleaned = 18.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 11292011_152806

    Files\Folders moved on Reboot...
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJGJTH72\emily[1].html moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJGJTH72\redirect_v94_cim_11_16_1[1].html moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJGJTH72\this-means-war-movie-trailer[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8RFN8O6U\iframe3[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8RFN8O6U\sandbox[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8RFN8O6U\xd_receiver[2].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71IA2ZYL\01[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71IA2ZYL\fw-nonplayer-banner[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71IA2ZYL\fw-nonplayer-banner[2].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71IA2ZYL\fw-nonplayer-banner[3].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71IA2ZYL\login_status[5].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71IA2ZYL\sandbox[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\01[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\01[2].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\B5767896;sz=728x90;ord=162421308[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\emily[1].html moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\iframe3[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\if[1].htm moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\okinsider-303350-11-23-2011[1].mp4 moved successfully.
    C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z6T4PLZ\okinsider_mevio_com[1].htm moved successfully.
    File move failed. C:\Windows\temp\CLDigitalHome\CLMS_AGENT_LOG1.txt scheduled to be moved on reboot.
    File move failed. C:\Windows\temp\CLDigitalHome\PCMMediaServer.log scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

  8. #18
    Member
    Join Date
    Nov 2011
    Location
    Manchester, UK
    Posts
    35

    Default

    Hi,

    Sorry about this, I tried running Combofix again in Normal Mode and it worked this time (I must have forgotten to run as admin I guess). Log is below:

    ComboFix 11-11-29.04 - Sandra 30/11/2011 18:00:22.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1791.962 [GMT 0:00]
    Running from: c:\users\Sandra\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\QuestBrowse
    c:\programdata\QuestBrowse
    c:\users\Sandra\AppData\Roaming\.#
    c:\users\Sandra\AppData\Roaming\~eu37.tmp
    c:\users\Sandra\AppData\Roaming\Loyfz\ovxay.exe
    c:\users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
    c:\users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk
    c:\users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-30 18:31 . 2011-11-30 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-11-30 17:49 . 2011-11-30 17:49 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{401E10A1-D24A-40F4-A8B3-07FD468C4BE2}\offreg.dll
    2011-11-30 17:49 . 2011-10-18 01:28 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{401E10A1-D24A-40F4-A8B3-07FD468C4BE2}\mpengine.dll
    2011-11-29 13:06 . 2011-11-29 13:06 -------- d-----w- C:\_OTL
    2011-11-29 10:30 . 2011-11-29 10:30 -------- d-----w- c:\program files\Paint.NET
    2011-11-29 10:29 . 2011-11-29 11:01 -------- d-----w- c:\users\Sandra\AppData\Local\Paint.NET
    2011-11-28 16:31 . 2011-11-28 16:31 -------- d-----w- c:\program files\ERUNT
    2011-11-26 06:58 . 2011-10-18 01:28 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-26 03:01 . 2011-10-18 01:28 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2011-11-25 18:32 . 2011-11-25 18:32 22032 ----a-w- c:\windows\DCEBoot.exe
    2011-11-25 18:32 . 2011-11-25 18:33 102400 ----a-w- c:\windows\RegBootClean.exe
    2011-11-25 18:24 . 2011-10-04 17:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0CA667F3-4AD4-44EF-8E51-30B640B6B0F6}\gapaengine.dll
    2011-11-25 18:12 . 2011-11-26 03:18 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-25 18:12 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-11-25 17:53 . 2011-11-25 17:55 -------- d-----w- c:\users\Sandra\AppData\Local\Google
    2011-11-25 17:52 . 2011-11-25 17:52 -------- d-----w- c:\users\Sandra\AppData\Local\Apps
    2011-11-25 17:52 . 2011-11-25 17:52 -------- d-----w- c:\users\Sandra\AppData\Local\Deployment
    2011-11-25 17:49 . 2011-10-18 02:28 6668624 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ECF9781C-491C-4842-B0A4-515C40902621}\mpengine.dll
    2011-11-09 15:04 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-11-09 15:04 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-09 15:04 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 15:04 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-30 23:06 . 2011-10-12 17:31 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-09-30 23:02 . 2011-10-12 17:31 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-09-30 23:01 . 2011-10-12 17:31 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-09-30 23:01 . 2011-10-12 17:31 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-09-30 23:01 . 2011-10-12 17:31 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-09-30 22:07 . 2011-10-12 17:31 385024 ----a-w- c:\windows\system32\html.iec
    2011-09-30 21:29 . 2011-10-12 17:31 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-09-30 21:28 . 2011-10-12 17:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-09-19 09:26 . 2011-09-19 09:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-06 13:30 . 2011-10-12 17:31 2043392 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 4702208]
    "PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-21 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-21 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-21 81920]
    "WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-07 196128]
    "lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 74672]
    "WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
    "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 245810]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-23 98304]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-09-19 243360]
    .
    c:\users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-16 535336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-565932158-212264510-2539292498-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R1 cudoxygl;cudoxygl;c:\windows\system32\drivers\cudoxygl.sys [x]
    R1 elootrcg;elootrcg;c:\windows\system32\drivers\elootrcg.sys [x]
    R1 ikmqmlcs;ikmqmlcs;c:\windows\system32\drivers\ikmqmlcs.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 GemCCID;GemCCID;c:\windows\system32\Drivers\GemCCID.sys [2009-08-10 89600]
    R3 iadusb;MT882;c:\windows\system32\DRIVERS\glauiad.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-07-16 30752]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
    S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2007-04-26 537520]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-565932158-212264510-2539292498-1000Core.job
    - c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-25 17:53]
    .
    2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-565932158-212264510-2539292498-1000UA.job
    - c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-25 17:53]
    .
    2011-11-30 c:\windows\Tasks\User_Feed_Synchronization-{077FCF45-234B-4E35-9958-7D72FB3A0C64}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-{37E04771-0D69-BB1A-F662-609E08C9BB5B} - c:\users\Sandra\AppData\Roaming\Loyfz\ovxay.exe
    HKLM-Run-eRecoveryService - (no file)
    HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
    HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
    HKLM-Run-Microsoft Works Portfolio - c:\program files\Microsoft Works\WksSb.exe
    HKLM-Run-AMFucJFMaVdteYf.exe - c:\programdata\AMFucJFMaVdteYf.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-30 18:32
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,95,49,ae,f0,c9,2e,f7,4e,81,d2,d4,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,95,49,ae,f0,c9,2e,f7,4e,81,d2,d4,\
    .
    Completion time: 2011-11-30 18:49:22
    ComboFix-quarantined-files.txt 2011-11-30 18:48
    .
    Pre-Run: 94,905,528,320 bytes free
    Post-Run: 94,005,059,584 bytes free
    .
    - - End Of File - - 6034BDE98959EB3BC9CF5CAE8A979768

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    There are a few suspicious driver files on your system that we need to check.

    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit these files for analysis, just use the BROWSE feature and then Send File , you will get a report back, post the report into this thread for me to see. If the site says this file has already been checked, have them check it again

    c:\windows\system32\drivers\cudoxygl.sys
    c:\windows\system32\drivers\elootrcg.sys
    c:\windows\system32\drivers\ikmqmlcs.sys


    If the site is busy you can try this one
    http://virusscan.jotti.org/en

  10. #20
    Member
    Join Date
    Nov 2011
    Location
    Manchester, UK
    Posts
    35

    Default

    Hi,

    I tried to locate the files indicated but can't find them anywhere in the system32 directory; also carried out a search across all drives (incl. hidden and system files) with no result. Have attached a full list of files in the system32 directory in case it is of any use whatsoever!?

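The three driver entries picked out in #19 share two signals in the ComboFix log from #18: the name is an eight-letter string that doubles as display name and file name, and the stamp at the end of the line is "[x]" rather than a date and size, which is what ComboFix prints when the image file is not on disk. That second signal is consistent with #20: the registry still registers the services, but the .sys files they point at are gone, so a file search cannot find them. The following Python script is an added example, not code from this thread, from ComboFix or from OTL; it parses service/driver lines in that format and flags entries that show both signals. The sample lines are copied from the log above and embedded so it runs offline; the layout assumed for a line is `<R|S><start type> <name>;<display>;<path> [<date> <size>]` or `[x]`, and the random-name rule is a heuristic of my own, not a ComboFix rule.

```python
"""Triage ComboFix service/driver lines the way a log reader does by eye.

Added example; not code from this thread, from ComboFix or from OTL.
Assumed line layout (from the log posted in this thread):
    <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
with "[x]" in place of the date/size when the image file was not found on disk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: a constructed subset of the "Reg Loading Points" section of the
# ComboFix log above, embedded so the example runs offline.
SAMPLE_LOG = r"""
R1 cudoxygl;cudoxygl;c:\windows\system32\drivers\cudoxygl.sys [x]
R1 elootrcg;elootrcg;c:\windows\system32\drivers\elootrcg.sys [x]
R1 ikmqmlcs;ikmqmlcs;c:\windows\system32\drivers\ikmqmlcs.sys [x]
R3 GemCCID;GemCCID;c:\windows\system32\Drivers\GemCCID.sys [2009-08-10 89600]
R3 iadusb;MT882;c:\windows\system32\DRIVERS\glauiad.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2007-04-26 537520]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Heuristic (my own, not a ComboFix rule): eight lowercase letters with no
# digits or separators, the shape of the three entries flagged in post #19.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class ServiceEntry:
    state: str          # "R1", "S2", ...: R/S plus start type, as printed; not interpreted here
    name: str
    display: str
    path: str
    file_present: bool  # False when ComboFix printed "[x]"
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a service/driver line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(
        state=m["state"], name=m["name"], display=m["display"],
        path=m["path"], file_present=(m["info"].strip() != "x"),
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons an entry deserves a second look."""
    if not entry.file_present:
        entry.reasons.append("image file not found on disk ([x])")
    # File name without directory and extension, e.g. "cudoxygl" from "...\cudoxygl.sys".
    stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_NAME_RE.match(entry.name) and entry.name == entry.display == stem:
        entry.reasons.append("random-looking 8-letter name reused as display name and file name")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in the log text and assess each one."""
    parsed = (parse_service_line(line) for line in log_text.splitlines())
    return [assess(entry) for entry in parsed if entry is not None]


def missing_binaries(log_text: str) -> List[str]:
    """Names of all entries whose image file is gone: orphaned registrations."""
    return [e.name for e in triage(log_text) if not e.file_present]


def suspicious(log_text: str) -> List[str]:
    """Names of entries showing both signals: missing file and meaningless name."""
    return [e.name for e in triage(log_text) if len(e.reasons) == 2]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        flag = "!!" if len(entry.reasons) == 2 else "  "
        print(f"{flag} {entry.state} {entry.name:<12} {entry.path}")
        for reason in entry.reasons:
            print(f"       - {reason}")
```

Requiring both signals is deliberate: `iadusb` also has a missing file, but its normally formed name and separate display name make it look like a leftover from an uninstalled device driver rather than something to send to VirusTotal, so `missing_binaries()` lists four entries while `suspicious()` lists only the three from #19. Either way, an entry marked "[x]" cannot be submitted for analysis because there is no file to submit; the useful follow-up is to remove the orphaned service registration.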